When disaster strikes, effective telecommunications for emergency response personnel involved in recovery efforts is essential. Since telecommunications capability can be severely affected due to excessive traffic in a disaster situation, loss of infrastructure, and potential denial of service attacks, certain schemes can be included in the telecommunications network to enable and facilitate emergency response communications.
One such scheme is the United States' Government Emergency Telephone Service (GETS). GETS is a set of switch-based and Advanced Intelligent Network (AIN) features which allow authorized users to gain access to enhanced call completion features, including Alternate Carrier Routing, High Probability of Completion (HPC), HPC Detection and SS7 IAM Message Priority, HPC Trunk Queuing, HPC Exemptions From Network Management Controls, Enhanced Alternate Carrier Routing, and Default Routing. To gain access to GETS, a user first dials an access number, then enters an authentication PIN, and then enters the desired destination number. GETS operates on the major long-distance carrier networks, most local networks, including wire-line, cellular and PCS systems, and government-leased networks such as the Federal Telecommunications System (FTS2000) and the Defense Information System Network (DISN). Thus, GETS access is available from most every telephone line in the country.
Other countries may have implemented such national telecommunications preference schemes to handle emergencies within their borders. However, some emergency situations require coordination on an international level. In these situations, communications may be required from a country that has not invoked a national preference scheme into a destination country that has. These communications may also transit through intermediate countries that may or may not have invoked their national preference schemes. Standards document International Telecommunications Union, Telecommunications Standardizations Sector (ITU-T) Recommendation E.106, “Description of an International Emergency Preference Scheme (IEPS)”, March, 2000, which is hereby incorporated by reference, describes an interoperability scheme to allow communications between the essential users in one country and their correspondents in another during a crisis.
In addition to same or similar features as those in GETS to enhance call completion, another key aspect of IEPS is end-to-end call marking such that IEPS calls are recognized as such and afforded preference in the network even as the calls traverse national boundaries.
In the current trust model, it is assumed that IEPS authentication will take place at the national level where the call is placed and no more authentication, such as at subsequent national network entry switches, is needed. However, this may not be the case. For example, hostile groups in foreign countries or even hostile foreign governments may try to disrupt emergency telephone service in a destination country experiencing a disaster by overloading the emergency telephone service in the destination country. This could be accomplished, for example, by hacking into the originating country's telecommunications network through physical access to an SS7 cable or via a packet protocol and an IP gateway, and flooding the destination country's network with bogus IEPS calls. This is akin to a denial of service attack on the Internet.
The latest working draft of E.106 (Apr. 28, 2003) recommends authenticating entity electronic signature validation as a means to thwart such a denial of service attack. The recommendation suggests that the originating network include in the call establishment messages all necessary information so that the intermediate and terminating networks may validate the call and decide on the appropriate level of preferential treatment without the need to query the originating network. The necessary information would include authenticating entity identity and an electronic signature of the authenticating entity. Each IEPS call could be validated at the network entry of each national boundary traversed between the originating and destination networks.
Authenticating entity identities could be, for example, each country's government agency charged with the authentication of national emergency service calls. Other authenticating entities could, for example, be international agencies such as the International Red Cross should they choose to offer the service to their agents and are doing an authentication process. The inclusion of authenticating entity identity allows other national networks to quickly determine if there is an arrangement to handle such calls, from that entity as preference calls. It is estimated that the creation of only a few hundred such IEPS authenticating entities should suffice for the worldwide international telecommunications network.
The electronic signature of the authenticating entity would be used to confirm the identity of the authenticating entity without further queries back to the originating network. Since electronic signature technology is evolving, it has been proposed that the initial message also include a field identifying the type of electronic signature being used so that more sophisticated signatures can be introduced over time should they become needed. It is envisioned that a public key/private key pair be used and that a time stamp be included in the key so that spoofing attempts with an intercepted key would not be successful.
Network entry switches (or a designated switch/switches or element/elements in the network) would perform or coordinate an authenticating entity validation function for each IEPS call and either grant or deny preferential treatment to the call based on the policy to be followed toward the originating network authenticating entity. However, the validation schemes used to validate the electronic signatures can be quite processor intensive. IEPS call volumes tend to be heaviest when there is an emergency, and this is the very time that the receiving networks may be in significant overload because of non-IEPS calls occurring related to the emergency. While it would be tempting to skip the validation process during periods of massive overload, this would leave the receiving networks open to denial of service attacks. Such an attack could flood the receiving network's remaining limited capacity and could cause valid IEPS calls to fail.
Denial of service attacks could also come from a hostile government. In this case, the authenticating entity and the electronic signature may both be valid, but the volume of IEPS calls originating from the hostile government would be well beyond any measure of reasonableness and be intended to interfere with legitimate emergency recovery communications rather than to assist with recovery.